Wednesday, August 10, 2011


Today I am going to show you how to use EpicLeech.EXE to leech username lists from public forums. This tool can be very handy in putting together valid user list for targeted bruteforce attacks, which speeds things up considerably since you are using known usernames instead of bruteforcing both user and pass. It can be a little tricky at first but if you stick with it you can set up new site configurations in very little time. Here goes, try to keep up…
·         EpicLeech.EXE (with a handful of configurations already done for you) which you can download from here:
·         Target site with publicly available members page (i.e. no login required to view list)
o   Use Google, try:” inurl:members.php”

Open EpicLeech.EXE p and it should look like this:
In order to create our own click the “Login Editor” button in the lower right, should open a new window that looks like this one:

This is what we will use to create our own custom template so that we can leech a large username list from our target site.
I should call out that this will only work if you can view the members list of the target website without needing to login. You first need to have a target site in mind that you eventually want to try and bruteforce/dictionary attack to find valid credentials. You can use Google to find them, if you need some quick examples to get you started just type “forum, members list” in Google or use your own creative dork and you will find an endless list of possibilities. Once you have found one you want to use, you will need to open it up in your favorite browser and then click on page 2 of the members list, so we can see how it is sorting the pages. You should find that the URL link will have either “page=” or “st=”.  We will use this to set the “Sort Option” on the Epic Leech options, just make sure they match how the target site is sorting and you will be fine (it is pretty easy to match up). Here is a quick recap, now that we have some basic info gathered:
Example Link to Members Page:
The “Name” field is optional and is what will show up in the leech options for the profile. The host name is the site we will be targeting. The GET string is the trailing url or directory path to send the requests to. You will need to change the page number at the end to [MPP], so that the tool knows to replace this parameter based on the details provided for Users Per Page and # of Pages when doing the actual leeching. You can pull the info for Users Per Page and the # of Pages fields from the actual website, you might have to do some quick math or possible click the link to go to last page to see how many there actually are.
OK, so that is the basics…now we need to determine the correct parsing options which will tell the EpicLeech.EXE tool how to pull the data from the source code of the pages it is requesting. If you mess this up you will get more than just the user names and it will make it fairly useless to you so make sure you get this part right! You need to go back to your browser opened to the member page from earlier, and make the necessary clicks to view the source code of the page. You will want to take note of at least one username on the page, as we will use “CTRL+F” on the source code page to quickly find that same username in the source code. This will make things a bit easier in determining where we need to identify the proper UNIQUE tags to use.
This is the actual code for the username is below, note that the username is “-mk-” that I am focusing on to find the tags to use for parsing.
</tr><tr align="center">
<td class="alt1Active" align="left" id="u34580">
         <a href="member.php?u=34580">-mk-</a>
         <div class="smallfont"><a style="text-decoration:none; color:#000088;" href="member.php?u=34580" title="No Releases">Member</a></div>
<td class="alt2"><a href="search.php?do=finduser&amp;u=34580" rel="nofollow"><img src="images/cstyle/blue/buttons/find.gif" alt="find.gif" title="Find all posts by -mk-" border="0" /></a></td>
<td class="alt1">08 May 2003</td>
<td class="alt2">11</td>
<td class="alt1">07 Jul 2009</td>
<td class="alt2"><img class="inlineimg" src="images/reputation/reputation_balance.gif" alt="-mk- is an unknown quantity at this point" border="0" /></td>

You will need to determine if you need to use single parse technique or double parse. In this example, we will need to single parsing technique to work correctly.  If the tags we were using appeared elsewhere in the code, we would need to use the double parsed technique to properly extract from this target due to the fact that the code appears in more than one place. The reason being, is that the HTML code and tags occur in more than place in the source code (not just around username), so we either need more unique tags (which are not available), or we do a double parse. Double parsing works by identifying a set of tags to mark in the first run, and then it looks inside of those tags and parses again using second set of tags. This way if the second sets of tags are not present then no extraction occurs. This will help us filter garbage out and focus on usernames since both conditions must be true.  Trial and Error will help you to figure this out if you don’t pick it up right away, just keep playing with the tags you are using to see how it affects what is extracted as a “username”. If you cant get any success with single parsing, try double parse and secondary tags to help narrow down your results.   

Using the example code above we would need to parse between ‘title="Find all posts by’ and ’border="0"’. Just so you know I tried using single and double parsing to pull the first occurance of the username in the code example above but was not able to properly get things to extract correctly, so I moved lower in code and realized it also has entry for linking to each usernames posted threads. This allowed me a second chance to try things out which are working at the moment I wrote this, here is the final configuration I came up with:
You have just created your first leeching profile. Hit the “Save Site” button and you can then see your new profile in the available options list to start leeching from. Go ahead and fire it up and start testing it, if there is too much being pulled in then you may need to review the tags being used for parsing and then adjust until you can find the right one that works for your particular target. Also be aware that sites tend to make updates all the time so a profile may work one day and be worthless the next, but now that you know how to make your own so it won’t be an issue anymore. I hope you have enjoyed this brief overview on creating username lists from forums with publicly available members lists, and feel free to use this template for the Vbulletin forums if you like. I will try to do a follow up series on how to use this list in other tools like Villain, Apex, or your cracker of choice to find tons of valid credentials to various other sites.
Proof it works (also see list included with download):
Rinse, wash, and repeat as needed. Until next time, Enjoy!

1 comment: